This was an exploitable crash triggered by a user style sheet interaction with a SELECT element. Simply expanding a dropdown SELECT widget on a page that had a particular style sheet applied would cause IE to dereference a corrupted vtable pointer, landing in mshtml!QIClassID. The crash was rated EXPLOITABLE.

<meta http-equiv="X-UA-Compatible" content="IE=9" />

<!-- The ClickJacket.localScript.css user style sheet is the trigger -->
<!-- Loading the page with the user style applied and expanding the SELECT crashes IE -->

<input type="text" id="code" value="document.body.innerHTML = 1; // Crash!" size="40">
<select><option>EXPAND ME TO CRASH</option></select> (retry if no crash)

<iframe src="restricted.html" security="restricted" width="600" height="120" border="1"></iframe>

The crash happens inside CSelectElement::get_selectedIndex when IE queries the select element’s selected index while the popup is opening. The user style sheet (ClickJacket.localScript.css) corrupts the element’s internal state in a way that causes a vtable dispatch through an invalid pointer. The WinDBG session showed EIP at mshtml!QIClassID+0x45, attempting an indirect call through the invalid pointer value 0xc25d5e5f.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.